How to Spot Credential Phishing with Fake Security Certificates

Credential phishing is one of the easiest ways for attackers to make money, because it’s a numbers game. The more phishes you send out, the more bites you get. The more bites you get, the more money you make.

For years, executives were the most common targets for this type of phishing, but then attackers began to realize that this wasn’t the best strategy. After all, there are relatively few executives compared with other types of workers. They needed to cast a wider net. So it’s no surprise that, recently, everyday users (read: you and me) have become a very popular target.

The campaigns that target everyday users often look like they’re coming from Apple Support, Dropbox, financial institutions, PayPal, and other popular services. The goal is to steal a user’s ID and password, enabling the attacker to access even more valuable targets (and eventually, money).

So, how can you as a user make sure that when you enter your credentials, you aren’t being phished? And how can IT folks and business owners make sure their users aren’t falling for credential phishes?

Here’s what you need to know.

What Secure Logos Really Mean

Ever notice the green lock next to your browser’s URL address bar?

Once upon a time, seeing the green lock reliably indicated that you had visited a trustworthy site where it was safe to enter your credentials. Unfortunately, attackers have figured out how to fake this. How? They use Let’s Encrypt, a free, automated certificate authority that issues SSL/TLS certificates to anyone who can prove control of a domain.

Let’s Encrypt started with a great purpose. It was a crowd-funded initiative to allow website owners who could not afford security certificates from the big vendors to get certificates for free. Previously when an organization wanted to set up a secure website, they had to buy a certificate from a Certificate Authority. This could be prohibitive for small businesses and website owners. Making Let’s Encrypt both free and fully automated democratized the process.

This was a noble gesture, but bad actors quickly learned how to take advantage of it.

Now, anyone who runs a website can set up an automated process to get a Let’s Encrypt certificate for their domain. Once the automated domain-validation check passes, the site is issued a certificate and the green lock appears. In theory, this means the site is legitimate, safe, and secure. In reality, the lock only proves that the connection is encrypted and that the site controls the domain in the address bar; it says nothing about who is behind that domain, so you can’t be sure.

Best Practices to Avoid Credential Phishing

In order to protect yourself and your users from falling for credential phishing with false certificates, three steps should be taken:

Look for the Security Certificate: First, does the website have a security certificate or symbol saying it is safe to proceed? All of today’s major brands will “Light the Lock”. If you don’t see a green lock, do not enter your credentials.

Look for the Certificate Issuer: Next, check to see who issued the certificate. Is it Let’s Encrypt? Reputable companies like Apple, Facebook, PayPal, etc., will pay companies to be their Certificate Authority and will not use Let’s Encrypt. If you do see Let’s Encrypt, we suggest you don’t enter your credentials, because it may be a phishing attempt.

Check the URL: Third, as with any type of phishing, you should inspect the website you have visited by carefully reading the URL (ideally before clicking). If it looks correct or you are unsure, look over the website for any spelling errors, links that do not work, etc. If something doesn’t feel right, it probably isn’t. And you’re always better off safe than sorry.

Training users to spot phishing has always been hard, but it gets harder as attackers learn to fake security certificates like this. While we still think it’s very valuable to train your users, you also need a safety net in case something goes wrong.

The Safety Net You Need

DNS-based malware protection is the only way to make absolutely sure that your network is protected against all types of phishing. Strongarm has developed a specialized protection against this type of credential phishing attack. We’re calling it our “Percipient Certificate Domains” feed.

Based upon intelligence we collect, we are able to blacklist sites that generate Let’s Encrypt certificates for the purpose of phishing. This protects your users in case they accidentally click on a phish.

How does it work? We do this by monitoring all of the Let’s Encrypt certificates published in crt.sh, a public database of certificate transparency logs. By looking for common brands and keywords in the names those certificates cover, we can pull out the domains attackers are planning to use, long before they can use them.
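The triage described above, as an added example that is not Strongarm’s code: filter certificate-transparency records down to Let’s Encrypt issuers, look for brand keywords in the certified names, and skip names under domains the brand itself owns. The records, the keyword list and the allowlist are constructed for illustration; a real feed would read from crt.sh and use the Public Suffix List instead of the crude two-label domain split.

```python
# Constructed records shaped like what crt.sh exposes for a certificate:
# the issuer's distinguished name and the hostnames the certificate covers.
SAMPLE_CERTS = [
    {"issuer": "C=US, O=Let's Encrypt, CN=R3",
     "names": ["paypal-secure-login.example", "www.paypal-secure-login.example"]},
    {"issuer": "C=US, O=Let's Encrypt, CN=R3", "names": ["appleid-support.example"]},
    {"issuer": "C=US, O=Let's Encrypt, CN=R3", "names": ["paypa1-verify.example"]},
    {"issuer": "C=US, O=Let's Encrypt, CN=R3", "names": ["dropbox.cdn.example"]},
    {"issuer": "C=US, O=Let's Encrypt, CN=R3", "names": ["blog.example"]},
    {"issuer": "C=US, O=Let's Encrypt, CN=R3", "names": ["sandbox.paypal.com"]},
    {"issuer": "C=US, O=DigiCert Inc, CN=DigiCert EV Server CA", "names": ["www.paypal.com"]},
]

# Assumed watch list of brands, and the registered domains those brands really
# own, so a certificate for the brand's own hostnames is never flagged.
BRAND_KEYWORDS = ("paypal", "apple", "dropbox")
BRAND_ALLOWLIST = {"paypal.com", "apple.com", "dropbox.com"}

# Digit-for-letter swaps seen in lookalike names; folding them lets a plain
# substring match catch "paypa1" as well as "paypal".
LOOKALIKE_FOLD = str.maketrans({"0": "o", "1": "l"})


def is_lets_encrypt(issuer):
    return "let's encrypt" in issuer.lower()


def registered_domain(name):
    # Crude: the last two labels. Production code should use the Public Suffix List.
    labels = name.lower().lstrip("*.").split(".")
    return ".".join(labels[-2:])


def mentions_brand(name, keywords=BRAND_KEYWORDS):
    folded = name.lower().translate(LOOKALIKE_FOLD)
    return any(kw in folded for kw in keywords)


def suspicious_names(certs, keywords=BRAND_KEYWORDS, allowlist=BRAND_ALLOWLIST):
    """Hostnames from Let's Encrypt certificates that mention a brand but sit
    outside that brand's own registered domains; sorted for a stable blocklist."""
    flagged = set()
    for cert in certs:
        if not is_lets_encrypt(cert["issuer"]):
            continue
        for name in cert["names"]:
            if registered_domain(name) in allowlist:
                continue
            if mentions_brand(name, keywords):
                flagged.add(name.lower().lstrip("*."))
    return sorted(flagged)
```

Running `suspicious_names(SAMPLE_CERTS)` flags the four lookalike hosts while leaving `blog.example`, the brand’s own `sandbox.paypal.com` and the DigiCert-issued record untouched.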

This way, you can be sure that, even if one of your users makes a mistake and falls for credential phishing, your network will be protected from malware automatically.